OAuth Signature

Short version, trying to use an API that uses OAuth, and requires sending an oauth_signature along with the headers. All the API side of things I have down, but I think the problem I’m having is with getting the correct oauth_signature to send along with everything.

The OAuth documentation, Appendix A.5.2 (OAuth Core 1.0a), says “HMAC-SHA1 produces the following digest value as a base64-encoded string (using the Signature Base String as text and kd94hf93k423kf44&pfkkdhi9sl3r4s00 as key):
tR3+Ty81lMeYAr/Fid0kMTYa/WM=”

Surprise, I don’t get that result.

I can’t see what I’m missing - I think I just need a fresh pair of eyes to point out what obviously dumb thing I keep overlooking (hopefully). Here’s the PowerShell I’m using:

$SignatureBaseString = "text"
$SignatureKey = " kd94hf93k423kf44&pfkkdhi9sl3r4s00"

$sha = [System.Security.Cryptography.HMACSHA1]::New(([System.Text.Encoding]::utf8.GetBytes($SignatureKey)))

[System.Convert]::ToBase64String($sha.ComputeHash([System.Text.Encoding]::utf8.GetBytes($SignatureBaseString)))

Things I already tried that everyone will be right to ask whether I checked:

  • Checking if the encoding was the problem
  • Checking if [system.uri]::EscapeDataString($SignatureKey) was needed
    — Every permutation of both gives me an incorrect digest.

If you are talking about OAuth 1.0a, the signature will change for a given API call at a given timestamp. An OAuth 1.0a based call is difficult to implement. It took me a few days to get it correct. I originally wrote a PowerShell custom class to handle this. You can check out a command, like Get-TwitterUser and definitely Invoke-TwitterRequest on how it works.

I’ve since replaced it with C# classes, the primary one being this Authentication class. I have some Pester tests that I haven’t uploaded that I used in validating this class. Let me know if you are interested in them.

And, I’m in the process of replacing that with a third-party Twitter C# library.
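
Added example (not part of the thread and not code from either poster): the Appendix A.5.2 digest quoted above is computed over the Signature Base String of Appendix A.5.1, and this sketch goes one step further by building that string from the Appendix A request before signing it. The function names `ConvertTo-OAuthEncoded` and `Get-OAuthSignature` are hypothetical, the request values are the specification's own example, and the URL is assumed to be already normalized with each parameter name occurring once.

```powershell
function ConvertTo-OAuthEncoded([string]$Value) {
    # OAuth Core 1.0a section 5.1: only ALPHA, DIGIT, '-', '.', '_', '~' stay unencoded.
    $sb = [System.Text.StringBuilder]::new()
    foreach ($b in [System.Text.Encoding]::UTF8.GetBytes($Value)) {
        if ([string][char]$b -cmatch '^[A-Za-z0-9\-._~]$') { [void]$sb.Append([char]$b) }
        else { [void]$sb.Append(('%{0:X2}' -f $b)) }
    }
    $sb.ToString()
}

function Get-OAuthSignature {
    param([string]$Method, [string]$Url, [hashtable]$Params,
          [string]$ConsumerSecret, [string]$TokenSecret)
    # Encode each name and value, then sort by name and value in byte order.
    # The tab separator sorts below every encoded character.
    [string[]]$pairs = foreach ($k in $Params.Keys) {
        (ConvertTo-OAuthEncoded $k) + "`t" + (ConvertTo-OAuthEncoded $Params[$k])
    }
    [System.Array]::Sort($pairs, [System.StringComparer]::Ordinal)
    $normalized = ($pairs -replace "`t", '=') -join '&'
    # Signature Base String: METHOD & encoded URL & encoded parameter string.
    $base = @($Method.ToUpperInvariant(), (ConvertTo-OAuthEncoded $Url),
              (ConvertTo-OAuthEncoded $normalized)) -join '&'
    # HMAC key: encoded consumer secret, '&', encoded token secret.
    $key = (ConvertTo-OAuthEncoded $ConsumerSecret) + '&' + (ConvertTo-OAuthEncoded $TokenSecret)
    $hmac = [System.Security.Cryptography.HMACSHA1]::new([System.Text.Encoding]::ASCII.GetBytes($key))
    try { [System.Convert]::ToBase64String($hmac.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($base))) }
    finally { $hmac.Dispose() }
}

# Request from OAuth Core 1.0a Appendix A (the specification's example, not a live API).
# oauth_signature itself is never part of the signed parameters.
$request = @{
    file = 'vacation.jpg'; size = 'original'
    oauth_consumer_key = 'dpf43f3p2l4k3l03'; oauth_token = 'nnch734d00sl2jdk'
    oauth_nonce = 'kllo9940pd9333jh'; oauth_timestamp = '1191242096'
    oauth_signature_method = 'HMAC-SHA1'; oauth_version = '1.0'
}
$sig = Get-OAuthSignature -Method 'GET' -Url 'http://photos.example.net/photos' -Params $request `
    -ConsumerSecret 'kd94hf93k423kf44' -TokenSecret 'pfkkdhi9sl3r4s00'
$sig
# Compare with the digest quoted from Appendix A.5.2.
$sig -ceq 'tR3+Ty81lMeYAr/Fid0kMTYa/WM='
```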